Botconf Author Listing

Albert Zsigovits


Last known affiliation: CUJO AI
Bio: Albert works as a Malware Researcher at CUJO AI. He started out as a traditional blue teamer early in his career, analyzing security events as an IDS analyst, and later investigating breaches as a senior incident responder for a Fortune 50 company. Later, he joined a respected anti-virus company to deepen his knowledge of reverse engineering. His specialties include malware analysis, memory forensics and signature development. Albert is a former speaker at SEC-T, DisobeyFi, Hacktivity and BSidesVienna.
Date: 2022-04-27
Evolution of the Sysrv mining botnet
György Lupták 🗣 | Dorka Palotay 🗣 | Albert Zsigovits

Abstract

Sysrv-hello, or Sysrv for short, is a botnet first discovered in late December 2020. The malware is written in Golang and targets both Linux and Windows endpoints. Based on its propagation style, it is a malicious worm with one end goal in mind: to spread and mine the Monero cryptocurrency. It targets vulnerable Windows and Linux-based servers using numerous exploits.

We have closely followed the development of the Sysrv botnet from the defender’s perspective and gained insights into its operation. The botnet is still active as of today, and new variants are released every couple of days, introducing either a new mining pool or an added feature. In this presentation, we would like to share our general findings on the botnet and shed some light on the development cycle of the Sysrv family. We will go into details such as propagation methods, utilized exploits, the evolution of the first-stage scripts, and the overall development of the malicious binary.

For our analysis, we used the Ghidra reverse engineering framework and simultaneously developed many custom scripts to aid in our Go binary analysis. We will share these scripts during our talk and explain how the Sysrv botnet helped us improve our malware-fighting toolset.
